MSFN Forum: Microsoft patches 22 bugs, stops Autorun hole that helps Conficker


Microsoft patches 22 bugs, stops Autorun hole that helps Conficker

Posted on Feb 08 2011 06:59 PM by xper  in Security | Viewed 2329 Times

As expected, Microsoft's February Patch Tuesday is big: 22 bugs fixed via 12 updates, including patches for three zero-day exploits. Microsoft also made a change to the Autorun services in XP and Vista that it hopes will put a cramp in the spread of Conficker.

Note that the Internet Storm Center recommends a slightly different priority in patching holes than is recommended by Microsoft. ISC advises that three holes get patched pronto, as exploit code is already available. One of these is fixed by an update rated "important" by Microsoft. ISC's list of pronto patches is:

MS11-003, a zero-day IE bug disclosed to the public in December that the ISC says is being actively exploited now. It affects all supported versions of IE (6, 7, 8). This was a hole that let attackers hijack a PC by manipulating IE's HTML engine when the browser processed CSS that included "@import" rules, and it sidestepped Windows 7 security.

MS11-004, a zero-day for IIS users that fixes a hole in the Web server's FTP services. It is rated "important" because FTP is not turned on by default. However, proof-of-concept code is out there.

MS11-006, the much-publicized Graphics Rendering Engine hole that affects Windows XP, Vista, Server 2003. It does not affect Windows 7 or WS 2008.

Meanwhile, Microsoft has a somewhat different list of which patches should get priority. Instead of the FTP hole, it recommends users immediately deploy patch MS11-007, which fixes a hole in the OpenType Compact Font Format Driver. The hole is rated critical because it could allow remote code execution or elevation of privileges. The ISC says it is not aware of exploit code in the wild. The attack requires victims to open a malicious file.

View: Security Bulletin for February 2011
Full story: Network World



